1 // SPDX-License-Identifier: GPL-2.0 2 /* 3 * Copyright (c) 2020 Hannes Reinecke, SUSE Linux 4 */ 5 6 #include <linux/module.h> 7 #include <linux/crc32.h> 8 #include <linux/base64.h> 9 #include <linux/prandom.h> 10 #include <linux/scatterlist.h> 11 #include <linux/unaligned.h> 12 #include <crypto/dh.h> 13 #include <crypto/sha2.h> 14 #include <linux/nvme.h> 15 #include <linux/nvme-auth.h> 16 17 static u32 nvme_dhchap_seqnum; 18 static DEFINE_MUTEX(nvme_dhchap_mutex); 19 20 u32 nvme_auth_get_seqnum(void) 21 { 22 u32 seqnum; 23 24 mutex_lock(&nvme_dhchap_mutex); 25 if (!nvme_dhchap_seqnum) 26 nvme_dhchap_seqnum = get_random_u32(); 27 else { 28 nvme_dhchap_seqnum++; 29 if (!nvme_dhchap_seqnum) 30 nvme_dhchap_seqnum++; 31 } 32 seqnum = nvme_dhchap_seqnum; 33 mutex_unlock(&nvme_dhchap_mutex); 34 return seqnum; 35 } 36 EXPORT_SYMBOL_GPL(nvme_auth_get_seqnum); 37 38 static const struct nvme_auth_dhgroup_map { 39 char name[16]; 40 char kpp[16]; 41 } dhgroup_map[] = { 42 [NVME_AUTH_DHGROUP_NULL] = { 43 .name = "null", .kpp = "null" }, 44 [NVME_AUTH_DHGROUP_2048] = { 45 .name = "ffdhe2048", .kpp = "ffdhe2048(dh)" }, 46 [NVME_AUTH_DHGROUP_3072] = { 47 .name = "ffdhe3072", .kpp = "ffdhe3072(dh)" }, 48 [NVME_AUTH_DHGROUP_4096] = { 49 .name = "ffdhe4096", .kpp = "ffdhe4096(dh)" }, 50 [NVME_AUTH_DHGROUP_6144] = { 51 .name = "ffdhe6144", .kpp = "ffdhe6144(dh)" }, 52 [NVME_AUTH_DHGROUP_8192] = { 53 .name = "ffdhe8192", .kpp = "ffdhe8192(dh)" }, 54 }; 55 56 const char *nvme_auth_dhgroup_name(u8 dhgroup_id) 57 { 58 if (dhgroup_id >= ARRAY_SIZE(dhgroup_map)) 59 return NULL; 60 return dhgroup_map[dhgroup_id].name; 61 } 62 EXPORT_SYMBOL_GPL(nvme_auth_dhgroup_name); 63 64 const char *nvme_auth_dhgroup_kpp(u8 dhgroup_id) 65 { 66 if (dhgroup_id >= ARRAY_SIZE(dhgroup_map)) 67 return NULL; 68 return dhgroup_map[dhgroup_id].kpp; 69 } 70 EXPORT_SYMBOL_GPL(nvme_auth_dhgroup_kpp); 71 72 u8 nvme_auth_dhgroup_id(const char *dhgroup_name) 73 { 74 int i; 75 76 if (!dhgroup_name || !strlen(dhgroup_name)) 77 return NVME_AUTH_DHGROUP_INVALID; 78 for (i = 0; i < ARRAY_SIZE(dhgroup_map); i++) { 79 if (!strlen(dhgroup_map[i].name)) 80 continue; 81 if (!strncmp(dhgroup_map[i].name, dhgroup_name, 82 strlen(dhgroup_map[i].name))) 83 return i; 84 } 85 return NVME_AUTH_DHGROUP_INVALID; 86 } 87 EXPORT_SYMBOL_GPL(nvme_auth_dhgroup_id); 88 89 static const struct nvme_dhchap_hash_map { 90 int len; 91 char hmac[15]; 92 } hash_map[] = { 93 [NVME_AUTH_HASH_SHA256] = { 94 .len = 32, 95 .hmac = "hmac(sha256)", 96 }, 97 [NVME_AUTH_HASH_SHA384] = { 98 .len = 48, 99 .hmac = "hmac(sha384)", 100 }, 101 [NVME_AUTH_HASH_SHA512] = { 102 .len = 64, 103 .hmac = "hmac(sha512)", 104 }, 105 }; 106 107 const char *nvme_auth_hmac_name(u8 hmac_id) 108 { 109 if (hmac_id >= ARRAY_SIZE(hash_map)) 110 return NULL; 111 return hash_map[hmac_id].hmac; 112 } 113 EXPORT_SYMBOL_GPL(nvme_auth_hmac_name); 114 115 u8 nvme_auth_hmac_id(const char *hmac_name) 116 { 117 int i; 118 119 if (!hmac_name || !strlen(hmac_name)) 120 return NVME_AUTH_HASH_INVALID; 121 122 for (i = 0; i < ARRAY_SIZE(hash_map); i++) { 123 if (!strlen(hash_map[i].hmac)) 124 continue; 125 if (!strncmp(hash_map[i].hmac, hmac_name, 126 strlen(hash_map[i].hmac))) 127 return i; 128 } 129 return NVME_AUTH_HASH_INVALID; 130 } 131 EXPORT_SYMBOL_GPL(nvme_auth_hmac_id); 132 133 size_t nvme_auth_hmac_hash_len(u8 hmac_id) 134 { 135 if (hmac_id >= ARRAY_SIZE(hash_map)) 136 return 0; 137 return hash_map[hmac_id].len; 138 } 139 EXPORT_SYMBOL_GPL(nvme_auth_hmac_hash_len); 140 141 u32 nvme_auth_key_struct_size(u32 key_len) 142 { 143 struct nvme_dhchap_key key; 144 145 return struct_size(&key, key, key_len); 146 } 147 EXPORT_SYMBOL_GPL(nvme_auth_key_struct_size); 148 149 struct nvme_dhchap_key *nvme_auth_extract_key(const char *secret, u8 key_hash) 150 { 151 struct nvme_dhchap_key *key; 152 const char *p; 153 u32 crc; 154 int ret, key_len; 155 size_t allocated_len = strlen(secret); 156 157 /* Secret might be affixed with a ':' */ 158 p = strrchr(secret, ':'); 159 if (p) 160 allocated_len = p - secret; 161 key = nvme_auth_alloc_key(allocated_len, 0); 162 if (!key) 163 return ERR_PTR(-ENOMEM); 164 165 key_len = base64_decode(secret, allocated_len, key->key, true, BASE64_STD); 166 if (key_len < 0) { 167 pr_debug("base64 key decoding error %d\n", 168 key_len); 169 ret = key_len; 170 goto out_free_key; 171 } 172 173 if (key_len != 36 && key_len != 52 && 174 key_len != 68) { 175 pr_err("Invalid key len %d\n", key_len); 176 ret = -EINVAL; 177 goto out_free_key; 178 } 179 180 /* The last four bytes is the CRC in little-endian format */ 181 key_len -= 4; 182 /* 183 * The linux implementation doesn't do pre- and post-increments, 184 * so we have to do it manually. 185 */ 186 crc = ~crc32(~0, key->key, key_len); 187 188 if (get_unaligned_le32(key->key + key_len) != crc) { 189 pr_err("key crc mismatch (key %08x, crc %08x)\n", 190 get_unaligned_le32(key->key + key_len), crc); 191 ret = -EKEYREJECTED; 192 goto out_free_key; 193 } 194 key->len = key_len; 195 key->hash = key_hash; 196 return key; 197 out_free_key: 198 nvme_auth_free_key(key); 199 return ERR_PTR(ret); 200 } 201 EXPORT_SYMBOL_GPL(nvme_auth_extract_key); 202 203 struct nvme_dhchap_key *nvme_auth_alloc_key(u32 len, u8 hash) 204 { 205 u32 num_bytes = nvme_auth_key_struct_size(len); 206 struct nvme_dhchap_key *key = kzalloc(num_bytes, GFP_KERNEL); 207 208 if (key) { 209 key->len = len; 210 key->hash = hash; 211 } 212 return key; 213 } 214 EXPORT_SYMBOL_GPL(nvme_auth_alloc_key); 215 216 void nvme_auth_free_key(struct nvme_dhchap_key *key) 217 { 218 if (!key) 219 return; 220 kfree_sensitive(key); 221 } 222 EXPORT_SYMBOL_GPL(nvme_auth_free_key); 223 224 /* 225 * Start computing an HMAC value, given the algorithm ID and raw key. 226 * 227 * The context should be zeroized at the end of its lifetime. The caller can do 228 * that implicitly by calling nvme_auth_hmac_final(), or explicitly (needed when 229 * a context is abandoned without finalizing it) by calling memzero_explicit(). 230 */ 231 int nvme_auth_hmac_init(struct nvme_auth_hmac_ctx *hmac, u8 hmac_id, 232 const u8 *key, size_t key_len) 233 { 234 hmac->hmac_id = hmac_id; 235 switch (hmac_id) { 236 case NVME_AUTH_HASH_SHA256: 237 hmac_sha256_init_usingrawkey(&hmac->sha256, key, key_len); 238 return 0; 239 case NVME_AUTH_HASH_SHA384: 240 hmac_sha384_init_usingrawkey(&hmac->sha384, key, key_len); 241 return 0; 242 case NVME_AUTH_HASH_SHA512: 243 hmac_sha512_init_usingrawkey(&hmac->sha512, key, key_len); 244 return 0; 245 } 246 pr_warn("%s: invalid hash algorithm %d\n", __func__, hmac_id); 247 return -EINVAL; 248 } 249 EXPORT_SYMBOL_GPL(nvme_auth_hmac_init); 250 251 void nvme_auth_hmac_update(struct nvme_auth_hmac_ctx *hmac, const u8 *data, 252 size_t data_len) 253 { 254 switch (hmac->hmac_id) { 255 case NVME_AUTH_HASH_SHA256: 256 hmac_sha256_update(&hmac->sha256, data, data_len); 257 return; 258 case NVME_AUTH_HASH_SHA384: 259 hmac_sha384_update(&hmac->sha384, data, data_len); 260 return; 261 case NVME_AUTH_HASH_SHA512: 262 hmac_sha512_update(&hmac->sha512, data, data_len); 263 return; 264 } 265 /* Unreachable because nvme_auth_hmac_init() validated hmac_id */ 266 WARN_ON_ONCE(1); 267 } 268 EXPORT_SYMBOL_GPL(nvme_auth_hmac_update); 269 270 /* Finish computing an HMAC value. Note that this zeroizes the HMAC context. */ 271 void nvme_auth_hmac_final(struct nvme_auth_hmac_ctx *hmac, u8 *out) 272 { 273 switch (hmac->hmac_id) { 274 case NVME_AUTH_HASH_SHA256: 275 hmac_sha256_final(&hmac->sha256, out); 276 return; 277 case NVME_AUTH_HASH_SHA384: 278 hmac_sha384_final(&hmac->sha384, out); 279 return; 280 case NVME_AUTH_HASH_SHA512: 281 hmac_sha512_final(&hmac->sha512, out); 282 return; 283 } 284 /* Unreachable because nvme_auth_hmac_init() validated hmac_id */ 285 WARN_ON_ONCE(1); 286 } 287 EXPORT_SYMBOL_GPL(nvme_auth_hmac_final); 288 289 static int nvme_auth_hmac(u8 hmac_id, const u8 *key, size_t key_len, 290 const u8 *data, size_t data_len, u8 *out) 291 { 292 struct nvme_auth_hmac_ctx hmac; 293 int ret; 294 295 ret = nvme_auth_hmac_init(&hmac, hmac_id, key, key_len); 296 if (ret == 0) { 297 nvme_auth_hmac_update(&hmac, data, data_len); 298 nvme_auth_hmac_final(&hmac, out); 299 } 300 return ret; 301 } 302 303 static int nvme_auth_hash(u8 hmac_id, const u8 *data, size_t data_len, u8 *out) 304 { 305 switch (hmac_id) { 306 case NVME_AUTH_HASH_SHA256: 307 sha256(data, data_len, out); 308 return 0; 309 case NVME_AUTH_HASH_SHA384: 310 sha384(data, data_len, out); 311 return 0; 312 case NVME_AUTH_HASH_SHA512: 313 sha512(data, data_len, out); 314 return 0; 315 } 316 pr_warn("%s: invalid hash algorithm %d\n", __func__, hmac_id); 317 return -EINVAL; 318 } 319 320 struct nvme_dhchap_key *nvme_auth_transform_key( 321 const struct nvme_dhchap_key *key, const char *nqn) 322 { 323 struct nvme_auth_hmac_ctx hmac; 324 struct nvme_dhchap_key *transformed_key; 325 int ret, key_len; 326 327 if (!key) { 328 pr_warn("No key specified\n"); 329 return ERR_PTR(-ENOKEY); 330 } 331 if (key->hash == 0) { 332 key_len = nvme_auth_key_struct_size(key->len); 333 transformed_key = kmemdup(key, key_len, GFP_KERNEL); 334 if (!transformed_key) 335 return ERR_PTR(-ENOMEM); 336 return transformed_key; 337 } 338 ret = nvme_auth_hmac_init(&hmac, key->hash, key->key, key->len); 339 if (ret) 340 return ERR_PTR(ret); 341 key_len = nvme_auth_hmac_hash_len(key->hash); 342 transformed_key = nvme_auth_alloc_key(key_len, key->hash); 343 if (!transformed_key) { 344 memzero_explicit(&hmac, sizeof(hmac)); 345 return ERR_PTR(-ENOMEM); 346 } 347 nvme_auth_hmac_update(&hmac, nqn, strlen(nqn)); 348 nvme_auth_hmac_update(&hmac, "NVMe-over-Fabrics", 17); 349 nvme_auth_hmac_final(&hmac, transformed_key->key); 350 return transformed_key; 351 } 352 EXPORT_SYMBOL_GPL(nvme_auth_transform_key); 353 354 /** 355 * nvme_auth_augmented_challenge() - Compute the augmented DH-HMAC-CHAP challenge 356 * @hmac_id: Hash algorithm identifier 357 * @skey: Session key 358 * @skey_len: Length of @skey 359 * @challenge: Challenge value 360 * @aug: Output buffer for the augmented challenge 361 * @hlen: Hash output length (length of @challenge and @aug) 362 * 363 * NVMe base specification 8.3.5.5.4: The augmented challenge is computed 364 * applying the HMAC function using the hash function H() selected by the 365 * HashID parameter ... with the hash of the ephemeral DH key ... as HMAC key 366 * to the challenge C (i.e., Ca = HMAC(H(g^xy mod p), C)). 367 * 368 * As the session key skey is already H(g^xy mod p) per section 8.3.5.5.9, use 369 * it directly as the HMAC key without additional hashing. 370 * 371 * Return: 0 on success, negative errno on failure. 372 */ 373 int nvme_auth_augmented_challenge(u8 hmac_id, const u8 *skey, size_t skey_len, 374 const u8 *challenge, u8 *aug, size_t hlen) 375 { 376 return nvme_auth_hmac(hmac_id, skey, skey_len, challenge, hlen, aug); 377 } 378 EXPORT_SYMBOL_GPL(nvme_auth_augmented_challenge); 379 380 int nvme_auth_gen_privkey(struct crypto_kpp *dh_tfm, u8 dh_gid) 381 { 382 int ret; 383 384 ret = crypto_kpp_set_secret(dh_tfm, NULL, 0); 385 if (ret) 386 pr_debug("failed to set private key, error %d\n", ret); 387 388 return ret; 389 } 390 EXPORT_SYMBOL_GPL(nvme_auth_gen_privkey); 391 392 int nvme_auth_gen_pubkey(struct crypto_kpp *dh_tfm, 393 u8 *host_key, size_t host_key_len) 394 { 395 struct kpp_request *req; 396 struct crypto_wait wait; 397 struct scatterlist dst; 398 int ret; 399 400 req = kpp_request_alloc(dh_tfm, GFP_KERNEL); 401 if (!req) 402 return -ENOMEM; 403 404 crypto_init_wait(&wait); 405 kpp_request_set_input(req, NULL, 0); 406 sg_init_one(&dst, host_key, host_key_len); 407 kpp_request_set_output(req, &dst, host_key_len); 408 kpp_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG, 409 crypto_req_done, &wait); 410 411 ret = crypto_wait_req(crypto_kpp_generate_public_key(req), &wait); 412 kpp_request_free(req); 413 return ret; 414 } 415 EXPORT_SYMBOL_GPL(nvme_auth_gen_pubkey); 416 417 /** 418 * nvme_auth_gen_session_key() - Generate an ephemeral session key 419 * @dh_tfm: Diffie-Hellman transform with local private key already set 420 * @public_key: Peer's public key 421 * @public_key_len: Length of @public_key 422 * @sess_key: Output buffer for the session key 423 * @sess_key_len: Size of @sess_key buffer 424 * @hash_id: Hash algorithm identifier 425 * 426 * NVMe base specification 8.3.5.5.9: The session key Ks shall be computed from 427 * the ephemeral DH key (i.e., g^xy mod p) ... by applying the hash function 428 * H() selected by the HashID parameter ... (i.e., Ks = H(g^xy mod p)). 429 * 430 * Return: 0 on success, negative errno on failure. 431 */ 432 int nvme_auth_gen_session_key(struct crypto_kpp *dh_tfm, 433 const u8 *public_key, size_t public_key_len, 434 u8 *sess_key, size_t sess_key_len, u8 hash_id) 435 { 436 struct kpp_request *req; 437 struct crypto_wait wait; 438 struct scatterlist src, dst; 439 u8 *dh_secret; 440 size_t dh_secret_len, hash_len; 441 int ret; 442 443 hash_len = nvme_auth_hmac_hash_len(hash_id); 444 if (!hash_len) { 445 pr_warn("%s: invalid hash algorithm %d\n", __func__, hash_id); 446 return -EINVAL; 447 } 448 449 if (sess_key_len != hash_len) { 450 pr_warn("%s: sess_key buffer missized (%zu != %zu)\n", 451 __func__, sess_key_len, hash_len); 452 return -EINVAL; 453 } 454 455 dh_secret_len = crypto_kpp_maxsize(dh_tfm); 456 dh_secret = kzalloc(dh_secret_len, GFP_KERNEL); 457 if (!dh_secret) 458 return -ENOMEM; 459 460 req = kpp_request_alloc(dh_tfm, GFP_KERNEL); 461 if (!req) { 462 ret = -ENOMEM; 463 goto out_free_secret; 464 } 465 466 crypto_init_wait(&wait); 467 sg_init_one(&src, public_key, public_key_len); 468 kpp_request_set_input(req, &src, public_key_len); 469 sg_init_one(&dst, dh_secret, dh_secret_len); 470 kpp_request_set_output(req, &dst, dh_secret_len); 471 kpp_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG, 472 crypto_req_done, &wait); 473 474 ret = crypto_wait_req(crypto_kpp_compute_shared_secret(req), &wait); 475 kpp_request_free(req); 476 477 if (ret) 478 goto out_free_secret; 479 480 ret = nvme_auth_hash(hash_id, dh_secret, dh_secret_len, sess_key); 481 482 out_free_secret: 483 kfree_sensitive(dh_secret); 484 return ret; 485 } 486 EXPORT_SYMBOL_GPL(nvme_auth_gen_session_key); 487 488 int nvme_auth_parse_key(const char *secret, struct nvme_dhchap_key **ret_key) 489 { 490 struct nvme_dhchap_key *key; 491 u8 key_hash; 492 493 if (!secret) { 494 *ret_key = NULL; 495 return 0; 496 } 497 498 if (sscanf(secret, "DHHC-1:%hhd:%*s:", &key_hash) != 1) 499 return -EINVAL; 500 501 /* Pass in the secret without the 'DHHC-1:XX:' prefix */ 502 key = nvme_auth_extract_key(secret + 10, key_hash); 503 if (IS_ERR(key)) { 504 *ret_key = NULL; 505 return PTR_ERR(key); 506 } 507 508 *ret_key = key; 509 return 0; 510 } 511 EXPORT_SYMBOL_GPL(nvme_auth_parse_key); 512 513 /** 514 * nvme_auth_generate_psk - Generate a PSK for TLS 515 * @hmac_id: Hash function identifier 516 * @skey: Session key 517 * @skey_len: Length of @skey 518 * @c1: Value of challenge C1 519 * @c2: Value of challenge C2 520 * @hash_len: Hash length of the hash algorithm 521 * @ret_psk: Pointer to the resulting generated PSK 522 * @ret_len: length of @ret_psk 523 * 524 * Generate a PSK for TLS as specified in NVMe base specification, section 525 * 8.13.5.9: Generated PSK for TLS 526 * 527 * The generated PSK for TLS shall be computed applying the HMAC function 528 * using the hash function H( ) selected by the HashID parameter in the 529 * DH-HMAC-CHAP_Challenge message with the session key KS as key to the 530 * concatenation of the two challenges C1 and C2 (i.e., generated 531 * PSK = HMAC(KS, C1 || C2)). 532 * 533 * Returns 0 on success with a valid generated PSK pointer in @ret_psk and 534 * the length of @ret_psk in @ret_len, or a negative error number otherwise. 535 */ 536 int nvme_auth_generate_psk(u8 hmac_id, const u8 *skey, size_t skey_len, 537 const u8 *c1, const u8 *c2, size_t hash_len, 538 u8 **ret_psk, size_t *ret_len) 539 { 540 size_t psk_len = nvme_auth_hmac_hash_len(hmac_id); 541 struct nvme_auth_hmac_ctx hmac; 542 u8 *psk; 543 int ret; 544 545 if (!c1 || !c2) 546 return -EINVAL; 547 548 ret = nvme_auth_hmac_init(&hmac, hmac_id, skey, skey_len); 549 if (ret) 550 return ret; 551 psk = kzalloc(psk_len, GFP_KERNEL); 552 if (!psk) { 553 memzero_explicit(&hmac, sizeof(hmac)); 554 return -ENOMEM; 555 } 556 nvme_auth_hmac_update(&hmac, c1, hash_len); 557 nvme_auth_hmac_update(&hmac, c2, hash_len); 558 nvme_auth_hmac_final(&hmac, psk); 559 *ret_psk = psk; 560 *ret_len = psk_len; 561 return 0; 562 } 563 EXPORT_SYMBOL_GPL(nvme_auth_generate_psk); 564 565 /** 566 * nvme_auth_generate_digest - Generate TLS PSK digest 567 * @hmac_id: Hash function identifier 568 * @psk: Generated input PSK 569 * @psk_len: Length of @psk 570 * @subsysnqn: NQN of the subsystem 571 * @hostnqn: NQN of the host 572 * @ret_digest: Pointer to the returned digest 573 * 574 * Generate a TLS PSK digest as specified in TP8018 Section 3.6.1.3: 575 * TLS PSK and PSK identity Derivation 576 * 577 * The PSK digest shall be computed by encoding in Base64 (refer to RFC 578 * 4648) the result of the application of the HMAC function using the hash 579 * function specified in item 4 above (ie the hash function of the cipher 580 * suite associated with the PSK identity) with the PSK as HMAC key to the 581 * concatenation of: 582 * - the NQN of the host (i.e., NQNh) not including the null terminator; 583 * - a space character; 584 * - the NQN of the NVM subsystem (i.e., NQNc) not including the null 585 * terminator; 586 * - a space character; and 587 * - the seventeen ASCII characters "NVMe-over-Fabrics" 588 * (i.e., <PSK digest> = Base64(HMAC(PSK, NQNh || " " || NQNc || " " || 589 * "NVMe-over-Fabrics"))). 590 * The length of the PSK digest depends on the hash function used to compute 591 * it as follows: 592 * - If the SHA-256 hash function is used, the resulting PSK digest is 44 593 * characters long; or 594 * - If the SHA-384 hash function is used, the resulting PSK digest is 64 595 * characters long. 596 * 597 * Returns 0 on success with a valid digest pointer in @ret_digest, or a 598 * negative error number on failure. 599 */ 600 int nvme_auth_generate_digest(u8 hmac_id, const u8 *psk, size_t psk_len, 601 const char *subsysnqn, const char *hostnqn, 602 char **ret_digest) 603 { 604 struct nvme_auth_hmac_ctx hmac; 605 u8 digest[NVME_AUTH_MAX_DIGEST_SIZE]; 606 size_t hash_len = nvme_auth_hmac_hash_len(hmac_id); 607 char *enc; 608 size_t enc_len; 609 int ret; 610 611 if (WARN_ON(!subsysnqn || !hostnqn)) 612 return -EINVAL; 613 614 if (hash_len == 0) { 615 pr_warn("%s: invalid hash algorithm %d\n", 616 __func__, hmac_id); 617 return -EINVAL; 618 } 619 620 switch (hash_len) { 621 case 32: 622 enc_len = 44; 623 break; 624 case 48: 625 enc_len = 64; 626 break; 627 default: 628 pr_warn("%s: invalid hash algorithm '%s'\n", 629 __func__, nvme_auth_hmac_name(hmac_id)); 630 return -EINVAL; 631 } 632 633 enc = kzalloc(enc_len + 1, GFP_KERNEL); 634 if (!enc) { 635 ret = -ENOMEM; 636 goto out; 637 } 638 639 ret = nvme_auth_hmac_init(&hmac, hmac_id, psk, psk_len); 640 if (ret) 641 goto out; 642 nvme_auth_hmac_update(&hmac, hostnqn, strlen(hostnqn)); 643 nvme_auth_hmac_update(&hmac, " ", 1); 644 nvme_auth_hmac_update(&hmac, subsysnqn, strlen(subsysnqn)); 645 nvme_auth_hmac_update(&hmac, " NVMe-over-Fabrics", 18); 646 nvme_auth_hmac_final(&hmac, digest); 647 648 ret = base64_encode(digest, hash_len, enc, true, BASE64_STD); 649 if (ret < enc_len) { 650 ret = -ENOKEY; 651 goto out; 652 } 653 *ret_digest = enc; 654 ret = 0; 655 656 out: 657 if (ret) 658 kfree_sensitive(enc); 659 memzero_explicit(digest, sizeof(digest)); 660 return ret; 661 } 662 EXPORT_SYMBOL_GPL(nvme_auth_generate_digest); 663 664 /** 665 * nvme_auth_derive_tls_psk - Derive TLS PSK 666 * @hmac_id: Hash function identifier 667 * @psk: generated input PSK 668 * @psk_len: size of @psk 669 * @psk_digest: TLS PSK digest 670 * @ret_psk: Pointer to the resulting TLS PSK 671 * 672 * Derive a TLS PSK as specified in TP8018 Section 3.6.1.3: 673 * TLS PSK and PSK identity Derivation 674 * 675 * The TLS PSK shall be derived as follows from an input PSK 676 * (i.e., either a retained PSK or a generated PSK) and a PSK 677 * identity using the HKDF-Extract and HKDF-Expand-Label operations 678 * (refer to RFC 5869 and RFC 8446) where the hash function is the 679 * one specified by the hash specifier of the PSK identity: 680 * 1. PRK = HKDF-Extract(0, Input PSK); and 681 * 2. TLS PSK = HKDF-Expand-Label(PRK, "nvme-tls-psk", PskIdentityContext, L), 682 * where PskIdentityContext is the hash identifier indicated in 683 * the PSK identity concatenated to a space character and to the 684 * Base64 PSK digest (i.e., "<hash> <PSK digest>") and L is the 685 * output size in bytes of the hash function (i.e., 32 for SHA-256 686 * and 48 for SHA-384). 687 * 688 * Returns 0 on success with a valid psk pointer in @ret_psk or a negative 689 * error number otherwise. 690 */ 691 int nvme_auth_derive_tls_psk(int hmac_id, const u8 *psk, size_t psk_len, 692 const char *psk_digest, u8 **ret_psk) 693 { 694 static const u8 default_salt[NVME_AUTH_MAX_DIGEST_SIZE]; 695 static const char label[] = "tls13 nvme-tls-psk"; 696 const size_t label_len = sizeof(label) - 1; 697 u8 prk[NVME_AUTH_MAX_DIGEST_SIZE]; 698 size_t hash_len, ctx_len; 699 u8 *hmac_data = NULL, *tls_key; 700 size_t i; 701 int ret; 702 703 hash_len = nvme_auth_hmac_hash_len(hmac_id); 704 if (hash_len == 0) { 705 pr_warn("%s: invalid hash algorithm %d\n", 706 __func__, hmac_id); 707 return -EINVAL; 708 } 709 if (hmac_id == NVME_AUTH_HASH_SHA512) { 710 pr_warn("%s: unsupported hash algorithm %s\n", 711 __func__, nvme_auth_hmac_name(hmac_id)); 712 return -EINVAL; 713 } 714 715 if (psk_len != hash_len) { 716 pr_warn("%s: unexpected psk_len %zu\n", __func__, psk_len); 717 return -EINVAL; 718 } 719 720 /* HKDF-Extract */ 721 ret = nvme_auth_hmac(hmac_id, default_salt, hash_len, psk, psk_len, 722 prk); 723 if (ret) 724 goto out; 725 726 /* 727 * HKDF-Expand-Label (RFC 8446 section 7.1), with output length equal to 728 * the hash length (so only a single HMAC operation is needed) 729 */ 730 731 hmac_data = kmalloc(/* output length */ 2 + 732 /* label */ 1 + label_len + 733 /* context (max) */ 1 + 3 + 1 + strlen(psk_digest) + 734 /* counter */ 1, 735 GFP_KERNEL); 736 if (!hmac_data) { 737 ret = -ENOMEM; 738 goto out; 739 } 740 /* output length */ 741 i = 0; 742 hmac_data[i++] = hash_len >> 8; 743 hmac_data[i++] = hash_len; 744 745 /* label */ 746 static_assert(label_len <= 255); 747 hmac_data[i] = label_len; 748 memcpy(&hmac_data[i + 1], label, label_len); 749 i += 1 + label_len; 750 751 /* context */ 752 ctx_len = sprintf(&hmac_data[i + 1], "%02d %s", hmac_id, psk_digest); 753 if (ctx_len > 255) { 754 ret = -EINVAL; 755 goto out; 756 } 757 hmac_data[i] = ctx_len; 758 i += 1 + ctx_len; 759 760 /* counter (this overwrites the NUL terminator written by sprintf) */ 761 hmac_data[i++] = 1; 762 763 tls_key = kzalloc(psk_len, GFP_KERNEL); 764 if (!tls_key) { 765 ret = -ENOMEM; 766 goto out; 767 } 768 ret = nvme_auth_hmac(hmac_id, prk, hash_len, hmac_data, i, tls_key); 769 if (ret) { 770 kfree_sensitive(tls_key); 771 goto out; 772 } 773 *ret_psk = tls_key; 774 out: 775 kfree_sensitive(hmac_data); 776 memzero_explicit(prk, sizeof(prk)); 777 return ret; 778 } 779 EXPORT_SYMBOL_GPL(nvme_auth_derive_tls_psk); 780 781 MODULE_DESCRIPTION("NVMe Authentication framework"); 782 MODULE_LICENSE("GPL v2"); 783